By Jeremy Ward, Security Services Development Lead
It is a truism to say, “you can’t manage what you don’t measure,” but how many organizations understand that when it comes to managing enterprise security risk? In almost every organization I visit I find that responsibility for managing information security risk is spread throughout many parts of the business. The result is that the enterprise lacks a clear understanding of what their risk is, how it’s being managed and who is taking responsibility.
No company is going to be able to solve this problem overnight. However, there are some initial steps you can take to get an all-round, coherent view of information and business risk management. First, you need to decide who in your organization should be involved with information security risk management. Remember that it’s all about the business, not about IT or technology (although obviously these play a crucial role). Above all, we must involve people who understand how the business uses information and how important it is to ensure that this information is not tampered with and is only available when required by those who need access to it.
Risk can be measured by the likelihood that threats are able to exploit vulnerabilities and thus cause incidents that could have an impact on your business-critical assets. Those individuals you have identified as needing to be involved must be brought together to take a strategic view of how these components (threats, vulnerabilities and incidents) can best be monitored and managed. HP has an interesting paper that explains the practical measures you need to take, called Are you measurably reducing your business risks?
Are you taking a strategic approach to risk mitigation?
It is important that risk management and mitigation be viewed strategically. All too often, organizations take a tactical approach. This may sort out the immediate issues, but it leaves faults in the underlying systems. For example, a business that has suffered serious data loss may decide to implement a technology designed to counter the threat without addressing the personnel and process issues that made the enterprise vulnerable to the threat in the first place.
The principles of information security risk management are the same whatever the size of your organization. You need to be able to:
- Understand what information is critical
- Take a strategic approach to the management of threats, vulnerabilities and incidents
- Monitor and measure the effectiveness of your actions
In this way you can avoid business damage that you cannot afford in these tough economic times.
If you’d like to learn more about how HP Enterprise Security is helping clients mitigate enterprise security risks, check out our one-day Security Discovery Workshop, which enables organizations to take a holistic, pragmatic and strategic view of their information security risk issues and to determine their roadmap and immediate actions toward better risk management.
Click here for more information on measurably reducing your business risk.